TextSecure user, and I can verify this as accurate.
When I first saw the stagefright bug, I looked for a way to disable MMS in the app. There is no way to disable MMS in the app, so I had a friend MMS me a message, and I got the warning as the post describes.
Feel free to test it out for yourself, but it was nice to see that TextSecure, by its nature, is secure from this bug through design.
The kind of folks running TextSecure have already made an effort to install a replacement messaging application, hopefully this helps them also pay attention to the warning.
If nothing else it'll slightly slow down a worm utilising this exploit...
First of all, TextSecure does display pictures in MMS. It just doesn't call out to stagefright to do so. I've never recieved a video message, so don't know how that works.
Second of all, the difference between a 0-click infection and a 1-click infection is huge in terms of time it takes for a worm to spread.
As a digital and security training for human rights defenders and journalists all over the world - this is one of the reasons why I try as hard as possible to push the awesome work of the WhisperSystems team and Moxie.
Err wow I didn't think me raising an issue on Github would put me on the frontpage of HN. But I am glad to see that they handle this well by default - another reason why I will be keeping it!
From what I've seen, the bug doesn't affect iOS devices, so while I have no idea whether the behavior between TextSecure and Telegram is the same, iOS isn't vulnerable either way.
Even if your friends don't yet use TextSecure, you can still send / receive messages with them; when they do (if they do) get TextSecure, then messages can be encrypted -- until then, they will be as insecure [and with privacy issues] as normal default messaging.
So, what do you lose if you use TextSecure ... even if your friends don't or won't use it? What is the problem?
This is a great example of where usability and security meet. Auto downloading MMS messages is certainly much nicer from a UX perspective. However it can lead to bugs as we are witnessing.
27 comments
[ 3.2 ms ] story [ 72.8 ms ] threadWhen I first saw the stagefright bug, I looked for a way to disable MMS in the app. There is no way to disable MMS in the app, so I had a friend MMS me a message, and I got the warning as the post describes.
Feel free to test it out for yourself, but it was nice to see that TextSecure, by its nature, is secure from this bug through design.
My take based on Moxie's comment. Good design.
If nothing else it'll slightly slow down a worm utilising this exploit...
Second of all, the difference between a 0-click infection and a 1-click infection is huge in terms of time it takes for a worm to spread.
... Oh they implemented it last month :D https://github.com/WhisperSystems/TextSecure/issues/222
Alternately, disable MMS auto-processing.
https://imgur.com/xaAsWZY
So, what do you lose if you use TextSecure ... even if your friends don't or won't use it? What is the problem?
I think they struck a good medium.